To access Google Cloud Platform (GCP) Artifact Registry from a local Kubernetes cluster using a service account key file, you need to follow these steps:
- Create a GCP Service Account and Key File
- Create a Kubernetes Secret with the Service Account Key
- Configure Your Kubernetes Deployment to Use the Secret
- Pull Images from Artifact Registry
Step-by-Step Guide
1. Create a GCP Service Account and Key File
- Create the Service Account:
gcloud iam service-accounts create my-service-account --display-name "My Service Account"
- Grant the Necessary Roles to the Service Account:
gcloud projects add-iam-policy-binding <YOUR-PROJECT-ID> \
--member="serviceAccount:my-service-account@<YOUR-PROJECT-ID>.iam.gserviceaccount.com" \
--role="roles/artifactregistry.reader"
Replace <YOUR-PROJECT-ID> with your GCP project ID.
- Create and Download the Key File:
gcloud iam service-accounts keys create key.json \
--iam-account my-service-account@<YOUR-PROJECT-ID>.iam.gserviceaccount.com
2. Create a Kubernetes Secret with the Service Account Key
- Create the Secret:
kubectl create secret docker-registry gcp-artifact-registry \
--docker-server=LOCATION-docker.pkg.dev \
--docker-username=_json_key \
--docker-password="$(cat key.json)" \
--docker-email=your-email@example.com
Replace:
- LOCATION with the location of your Artifact Registry (e.g., us-central1).
- your-email@example.com with your email.
3. Configure Your Kubernetes Deployment to Use the Secret
Update your Kubernetes deployment YAML to reference the secret for pulling images.
- Update Deployment YAML:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
        - name: my-app
          image: LOCATION-docker.pkg.dev/PROJECT-ID/REPOSITORY/IMAGE:TAG
          ports:
            - containerPort: 8080
      imagePullSecrets:
        - name: gcp-artifact-registry
Replace the placeholders:
- LOCATION with your Artifact Registry location (e.g., us-central1).
- PROJECT-ID with your GCP project ID.
- REPOSITORY with the name of your repository.
- IMAGE:TAG with the specific image and tag you want to use.
- Apply the Deployment:
kubectl apply -f deployment.yaml
4. Verify the Setup
- Check the Deployment Status:
kubectl get pods
- Describe a Pod to Verify Image Pull:
kubectl describe pod <POD-NAME>
Look at the Events section at the end of the output: a successful pull shows "Pulled" for the image, while an authentication problem shows "Failed to pull image" followed by ImagePullBackOff. The usual causes are a secret whose --docker-server does not match the registry host in the image reference, or a key file path passed as the password instead of its contents.
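The following is an added example, not code from the original post or from Google. It reproduces, in Python, what `kubectl create secret docker-registry` does with the key file in step 2 (username `_json_key`, the whole key file as the password, wrapped in a `kubernetes.io/dockerconfigjson` Secret), and then checks a Deployment like the one in step 3 against that Secret before you apply it: the registry host of every container image must match the `auths` entry in the Secret, and the Secret must be listed under `imagePullSecrets`. The key file contents, project, repository and image names are constructed placeholders; the function names are this example's own.

```python
import base64
import json

# Constructed stand-in for key.json (not a real GCP key). A real file also
# carries token URIs and a genuine private key; the fields checked below are
# the ones the registry login actually depends on.
CONSTRUCTED_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000000000000000000000000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "my-service-account@example-project.iam.gserviceaccount.com",
})


def validate_key_file(key_text: str) -> dict:
    """Reject input that is not a service-account key. The classic mistake is
    passing the path 'key.json' as --docker-password instead of its contents."""
    try:
        key = json.loads(key_text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not JSON, did you pass a path instead of $(cat key.json)? ({exc})")
    if not isinstance(key, dict) or key.get("type") != "service_account":
        raise ValueError("key file 'type' must be 'service_account'")
    for field in ("client_email", "private_key", "project_id"):
        if not key.get(field):
            raise ValueError(f"key file is missing {field!r}")
    return key


def build_pull_secret(name: str, server: str, key_text: str, email: str) -> dict:
    """What `kubectl create secret docker-registry` produces for a JSON key:
    username is the literal _json_key and the password is the whole key file."""
    validate_key_file(key_text)
    username = "_json_key"
    dockerconfig = {"auths": {server: {
        "username": username,
        "password": key_text,
        "email": email,
        "auth": base64.b64encode(f"{username}:{key_text}".encode()).decode(),
    }}}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(json.dumps(dockerconfig).encode()).decode()},
    }


def registry_host(image: str) -> str:
    """Registry host of an image reference, e.g. us-central1-docker.pkg.dev.
    Names with no host component (nginx:1.25, library/nginx) resolve to Docker Hub."""
    if "/" not in image:
        return "docker.io"
    first = image.split("/", 1)[0]
    if "." in first or ":" in first or first == "localhost":
        return first
    return "docker.io"


def check_deployment_against_secret(deployment: dict, secret: dict) -> list:
    """Return the reasons a pull would fail to authenticate; [] means OK."""
    problems = []
    pod_spec = deployment["spec"]["template"]["spec"]
    referenced = {s["name"] for s in pod_spec.get("imagePullSecrets", [])}
    if secret["metadata"]["name"] not in referenced:
        problems.append(f"imagePullSecrets does not reference {secret['metadata']['name']!r}")
    auths = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))["auths"]
    for c in pod_spec["containers"]:
        host = registry_host(c["image"])
        entry = auths.get(host)
        if entry is None:
            problems.append(f"{c['name']!r} pulls from {host} but the secret only covers {sorted(auths)}")
        elif entry["username"] != "_json_key":
            problems.append(f"username for {host} is {entry['username']!r}, expected '_json_key'")
    return problems


# Constructed Deployment mirroring the walkthrough's YAML with LOCATION=us-central1.
DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "my-app"},
    "spec": {"replicas": 1, "selector": {"matchLabels": {"app": "my-app"}},
             "template": {"metadata": {"labels": {"app": "my-app"}}, "spec": {
                 "containers": [{"name": "my-app",
                                 "image": "us-central1-docker.pkg.dev/example-project/my-repo/my-app:1.0",
                                 "ports": [{"containerPort": 8080}]}],
                 "imagePullSecrets": [{"name": "gcp-artifact-registry"}]}}},
}

SECRET = build_pull_secret("gcp-artifact-registry", "us-central1-docker.pkg.dev",
                           CONSTRUCTED_KEY_JSON, "your-email@example.com")

if __name__ == "__main__":
    print(json.dumps(SECRET, indent=2))  # could be applied with: kubectl apply -f secret.json
    print(check_deployment_against_secret(DEPLOYMENT, SECRET))  # [] when hosts match
```

Running the check with a Secret built for a different region (for instance europe-west1-docker.pkg.dev) against the same Deployment reports the host mismatch, which is exactly the case that shows up later as ImagePullBackOff in `kubectl describe pod`.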
Summary
By following these steps, you configure your local Kubernetes cluster to authenticate with GCP Artifact Registry using a service account key file. This involves creating a service account and key, storing the key as a Kubernetes secret, and updating your deployments to use the secret for image pulls. This setup ensures secure and efficient access to your container images stored in GCP Artifact Registry.
Refs
https://cloud.google.com/artifact-registry/docs/docker/pushing-and-pulling#key
https://cloud.google.com/artifact-registry/docs/docker/authentication#json-key
Top comments (1)
The enhanced version of this would be to not copy a password over to k8s but instead establish trust between GCP and K8s like described here medium.com/google-cloud/keyless-go... (in this case, trust is established between GCP and Github)